Re: ACL for IP restriction
At 03:42 PM 1/7/01 +0100, Torsten Curdt wrote:
>In our intraweb we use an openldap server that holds all user specific
>data (including auth information like crypted passwords etc.). All other
>machines auth against this ldap server.
>
>I now want to allow a machine from our perimeter net to authenticate against
>this ldap server as well. But only this one machine and only with very
>limited access.
>
>I'm a bit scared to open the firewall because the perimeter machine
>gets full LDAP access to the crypted passwords. So what I was thinking of
>was to limit the access based on the machine's IP.
Assumptions:
  you are using OpenLDAP 1.2
  62.132.127.51 is the perimeter system

Note:
  no special access is necessary to bind
  addr=<regex> is the expected syntax
  order matters

So, make sure the first by clause of each access
directive is "by addr=62\.132\.127\.51 none". This
will deny all access except bind (authentication).
I would also suggest use of TCP wrappers or host level
firewall software on the LDAP server host to restrict
access as well as appropriate rules on your internal/perimeter
firewall.
Configuring 2.0 is slightly different as 1) "auth" access
must be granted to userPassword to allow bind and 2) addr
was replaced with peername.
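
Added example, not part of the original message: slapd.conf access directives that put the advice above into practice for both server versions. 62.132.127.51 is the perimeter host from the thread; the attribute list, the "by self write" / "by * read" defaults and the assumption that a 2.0 peername value looks like "IP=<addr>:<port>" are mine, not the author's, and should be checked against the slapd.conf(5) / slapd.access(5) man pages of the version actually installed.

```conf
# Added example (not from the original message).  Two slapd.conf fragments
# restricting what the perimeter host 62.132.127.51 may do.  Base ACLs
# ("by self write", "by * read") are assumed defaults, not from the thread.

########## OpenLDAP 1.2 ##########
# In 1.2 a bind needs no access to userPassword, so the perimeter host can
# still authenticate even though it is granted "none" everywhere.
# The addr= clause must be the FIRST "by" clause of every access directive:
# slapd stops at the first matching "by" clause, so a later "by * read"
# would otherwise apply to the perimeter host too.
# The regex is unanchored by default; ^ and $ keep 62\.132\.127\.51 from
# also matching an address such as 162.132.127.51.
access to attrs=userPassword
        by addr=^62\.132\.127\.51$ none
        by self write
        by * compare

access to *
        by addr=^62\.132\.127\.51$ none
        by * read

########## OpenLDAP 2.0 ##########
# In 2.0 "addr=" became "peername=" (assumed value format "IP=<addr>:<port>")
# and a simple bind needs "auth" access to userPassword.  "auth" allows the
# password comparison performed during bind but not reading, searching or
# comparing the stored hash, so the perimeter host can authenticate users
# without ever retrieving a password.
access to attrs=userPassword
        by peername="^IP=62\.132\.127\.51:" auth
        by self write
        by * auth

access to *
        by peername="^IP=62\.132\.127\.51:" none
        by * read
```

After editing, restart slapd and confirm the effect from the perimeter host: a bind with a valid DN and password should succeed, while a search for userPassword (or for anything under "access to *") from that host should return nothing. Do the same checks from an internal host to make sure the more specific "by" clause did not shadow the access everyone else still needs.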